1. The Field of the Invention
The present invention relates to authentication. More specifically, the present invention relates to authentication using a one-time password.
2. Background and Related Art
In general, authentication involves confirming or verifying a user's identity, as opposed to authorization, which typically involves determining and enforcing a user's access permissions. Usernames and/or passwords are perhaps the most familiar authentication scheme to many. Current username/password authentication, however, suffers from a number of significant drawbacks.
For example, username/password authentication is subject to eavesdropping and brute force attacks. Eavesdropping attacks typically involve rogue entities, such as rogue network devices or rogue operators of legitimate network devices, that read and analyze passing network traffic. When network traffic appears to contain username/password information (or for that matter any type of sensitive or personal information), the acquired information is logged for further analysis and/or future use.
Brute force attacks generally involve guessing passwords and/or usernames. Frequently, usernames for specific users are either known or can be inferred. For example, unlike passwords, which tend to be somewhat more arbitrary, usernames frequently have a strong resemblance to a user's actual name, public information about the user, or common words. Most people do not consider usernames to be confidential. As a result, brute force attacks are generally directed to passwords for known usernames.
Strictly speaking, a brute force attack implies trying all possible permutations in guessing a username/password. For example, a brute force attack on a four-digit PIN involves trying all 10,000 permutations of four digits (i.e., 0000-9999). Because remembering arbitrary information can be difficult, users often choose passwords that have some meaning. So-called dictionary attacks involve trying a limited set of permutations, such as commonly used words or numbers.
To help protect against brute force attacks, organizations often impose standards on allowable passwords, in terms of length, types of characters, expiration, similarity to previously used passwords, etc. For example, compare the four-digit PIN described above (10,000 permutations) with a four-character password selected from numbers, uppercase letters, lowercase letters, and symbols (millions of permutations).
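The following added example (not part of the original text) computes the search space for the four-digit PIN and the four-position mixed-class password compared above, and shows how a secret that appears in a dictionary is found within the dictionary's size regardless of the policy's keyspace. The 32-character symbol set, the function names, and the sample PIN list are assumptions made for illustration.

```python
import string

# Character classes named in the text. The symbol set is an assumption:
# Python's string.punctuation (32 ASCII symbols); the page lists none.
CLASSES = {
    "digits": string.digits,
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "symbols": string.punctuation,
}


def keyspace(length, classes):
    """Candidates an exhaustive (brute force) search has to cover."""
    alphabet = set()
    for name in classes:
        alphabet.update(CLASSES[name])
    return len(alphabet) ** length


def guesses_bound(secret, length, classes, wordlist):
    """Upper bound on guesses when a wordlist is tried before the full space.

    A secret that appears in the wordlist falls within len(wordlist)
    guesses no matter how large the policy's keyspace is.
    """
    if secret in wordlist:
        return wordlist.index(secret) + 1
    return len(wordlist) + keyspace(length, classes)


def policy_report(secret, length, classes, wordlist):
    """Summarize how much of the keyspace a secret actually benefits from."""
    space = keyspace(length, classes)
    bound = guesses_bound(secret, length, classes, wordlist)
    return {"keyspace": space, "guess_bound": bound,
            "in_wordlist": secret in wordlist,
            "fraction_of_keyspace": bound / space}


# Constructed sample data, for illustration only.
COMMON_PINS = ["0000", "1111", "1234", "2580"]
ALL_CLASSES = ["digits", "upper", "lower", "symbols"]

if __name__ == "__main__":
    print(policy_report("1234", 4, ["digits"], COMMON_PINS))
    print(policy_report("7391", 4, ["digits"], COMMON_PINS))
    print(policy_report("g7#Q", 4, ALL_CLASSES, COMMON_PINS))
```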
A wide variety of information may be available to a successful attacker. Depending on the access permissions associated with a particular username, an attacker may be able to gain access to sensitive personal information, business information, and/or personal information of other users. Such information may be used in connection with identity theft, fraudulent purchases, corporate espionage, and the like.
In order to protect usernames/passwords (and other information) from attack, encryption or other cryptographic techniques frequently are used. Encryption may be categorized as either symmetric or asymmetric. In symmetric encryption, the same key is used for both encryption and decryption. In asymmetric encryption, different keys are used for encryption and decryption. Public key infrastructures (PKIs), using a public/private key pair and a digital certificate, are examples of asymmetric encryption. Information encrypted with the public key can only be decrypted with the corresponding private key, and vice-versa. Typically, the public/private key pair and digital certificate are used for authentication and for exchanging a symmetric key to encrypt future exchanges, since continued use of the public/private key pair imposes a significant processing overhead, as compared to symmetric encryption.
Digital certificates and private/public keys are relatively bulky, and as indicated above, impose a certain amount of processing overhead. Furthermore, it is often difficult to transfer digital certificates and private/public keys from one device to another, making them a somewhat less attractive option for mobile computing devices. Authenticating for remote access from a public or third-party computer may not be practical, either because the remote access was not anticipated beforehand, and therefore the digital certificate and corresponding public/private key pair are not available, or because the potential for compromising the public/private key pair is simply too high.
Generally, for a given encryption algorithm, encryption strength depends on the length of the encryption key. Smaller keys are relatively easier to break than larger keys. Theoretically, however, given enough computing resources and time, it is possible to break virtually any encryption key. As an added precaution, therefore, encryption keys may be rotated periodically, so that even if one key is broken, information encrypted with other keys is not compromised.
For maximum protection, key rotation may occur after each key use. Key rotation after each use may be referred to as one-time pad encryption or simply one-time keys or passwords. With one-time passwords, subsequent passwords have no relationship to prior passwords. As a result, breaking one password does not provide any insight into what subsequent passwords might be. Conventionally, one-time pads require both ends of a communication to use the same technology, so that key usage at both ends may be synchronized. Although offering a high degree of protection, one-time passwords traditionally have imposed too much of a burden for general usage by the public at large. Furthermore, for wide-spread use, all potential parties would need access to the one-time password technology, which means that a trust relationship would already need to exist between all potential parties or that one-time passwords could not be used, like digital certificates and public/private key pairs, for authenticating arbitrary parties.
With the tremendous growth of on-line services, many users maintain accounts at multiple service providers. For users, maintaining multiple accounts often leads to the selection of passwords that are more easily remembered, and therefore more easily attacked. Aside from security consequences, on-line service providers have begun to recognize that it is inconvenient for users to authenticate to each service provider separately. Consider, for example, a user signing on to a user account for his or her personal computer, then signing on to a user account for his or her Internet service provider, then signing on to a user account for email access, then signing on to a user account at an on-line retailer to make a purchase. In addition to the complexity imposed by keeping track of each username and password, the user experience of constantly signing on can be a source of frustration for the user.
In order to simplify authentication, some on-line service providers participate in single sign-on arrangements. Briefly, single sign-on allows a user to authenticate with one service in order to access services at one or more affiliated providers. Single sign-on effectively centralizes authentication within an authentication service. While perhaps improving the user experience, single sign-on also introduces a new risk. Because the authentication service maintains credentials (usernames, passwords, etc.) for a large number of users and potentially contains other personal, private, or secret information, the service is an attractive target for attackers, particularly in terms of exploiting any security vulnerabilities the authentication service has overlooked or failed to appreciate. Accordingly, a relatively increased level of hostile resources may be focused on the authentication service, since if successful, an attack is likely to yield information about a comparatively large number of users.
As a result, methods, systems, and computer program products are desired that provide the benefits of one-time passwords for authentication, without requiring a trust relationship to exist between the authenticating party and the service requiring the party to authenticate, so as to facilitate wide-spread use and adoption among arbitrary parties. Furthermore, it is also desired to limit the authentication credentials that are stored by any one service so that even if a security breach occurs, only a portion of the authentication credentials needed to authenticate a user are at risk.